A critical authentication bypass in WHM and cPanel (CVE-2026-41940) is being mass-exploited to breach servers and deploy a Linux encryptor used in “Sorry” ransomware attacks. At least 44,000 cPanel hosts have been compromised and hundreds of affected sites are indexed by Google, so administrators must apply the emergency update immediately to prevent further encryption and data theft.
Key points
- CVE-2026-41940 is an authentication bypass in WHM and cPanel that allows unauthorized control panel access.
- Attackers are exploiting the zero-day to breach servers and deploy a Go-based Linux encryptor that appends the .sorry extension.
- The Sorry encryptor uses ChaCha20 with the encryption key protected by an embedded RSA-2048 public key, preventing decryption without the private key.
- Shadowserver reports at least 44,000 compromised cPanel IP addresses, and hundreds of compromised sites have been indexed by Google.
- All cPanel and WHM users are urged to install the emergency security update immediately to mitigate ongoing ransomware attacks and data theft.
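
For triage on a host that may have been hit, the added example below (not from the original article) walks a directory tree, counts files carrying the appended .sorry extension per top-level directory, and reports the earliest and latest modification times as a rough window for when encryption ran. Treating each top-level directory under the scanned root (for example /home) as one account, and the function and field names, are assumptions of this example.

```python
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone

SUFFIX = ".sorry"  # extension the article says the encryptor appends


def scan(root):
    """Summarise files ending in SUFFIX, grouped by top-level directory of root.

    Returns {top_dir: {"count": n, "first": earliest mtime, "last": latest mtime}}.
    Grouping by top-level directory is an assumption (one directory per account).
    """
    root = os.path.abspath(root)
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            # Only files with the extension appended to an existing name.
            if not name.endswith(SUFFIX) or name == SUFFIX:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or removed while scanning
            rel = os.path.relpath(path, root)
            top = rel.split(os.sep, 1)[0] if os.sep in rel else "."
            entry = summary[top]
            entry["count"] += 1
            entry["first"] = mtime if entry["first"] is None else min(entry["first"], mtime)
            entry["last"] = mtime if entry["last"] is None else max(entry["last"], mtime)
    return dict(summary)


def report(summary):
    """Render the summary as text lines, most affected directory first."""
    def iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    ordered = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return [f"{top}: {e['count']} files, {iso(e['first'])} .. {iso(e['last'])}"
            for top, e in ordered]


if __name__ == "__main__":
    # Usage: python3 scan_sorry.py /home   (path is an example)
    for line in report(scan(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Modification times are only a rough indicator of when files were written and should be checked against server and panel logs.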